Unofficial Patch Released for IE Flaw

A team of security gurus today released an unofficial security fix for a serious flaw in Microsoft's default Web browser and e-mail software. The action comes as computer security organizations in the United States and elsewhere are issuing alarms that the Internet Explorer flaw is currently being exploited by online criminals to install spyware on vulnerable computers.

Microsoft said it expects to ship an update to fix the problem on Oct. 10. In the meantime, the company is recommending a workaround to disable the IE flaw until a patch is ready.

"We just felt that the risk posed by some exploits that are coming out are too great to just sit around and wait for Microsoft to issue a patch," said Joe Stewart, a senior security researcher at Atlanta-based SecureWorks and a ZERT co-founder.

ZERT members say they have tested the patch fairly thoroughly, but they include this caveat:

"Please keep in mind while the group performs extensive testing of any patches before releasing them, it is impossible for us to test our patches with each possible system configuration and in each usage scenario. We validate patches to the best of our ability, noting the environments in which the tests were performed and the test results."

Alarm Bells

Several security organizations have issued warnings that criminals have programmed an increasing number of Web sites to exploit the IE flaw and install malicious software on any vulnerable computer that visits one of the sites.

The SANS Internet Storm Center switched its alert level from green to yellow today, noting that the means for wielding this exploit to install malicious software "is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly."

AusCERT, the Australian Computer Emergency Response Team, said it has seen widespread e-mails urging users to click on links to Web sites that exploit the flaw to install malicious software.

Some malicious sites appear to be using the exploit to silently install spyware and adware, while others are seeding visitors' Windows machines with hard-to-remove keystroke loggers or "form grabbers" designed to steal username, password and financial data when users enter data at bank or e-commerce Web sites.

Thursday evening, attackers wielding this latest IE exploit hacked into the servers for Host Gator, a Web hosting company based in Boca Raton, Fla. Jason Muni, Host Gator's general manager, said attackers reconfigured an unknown number of Web sites hosted on the company's servers to redirect visitors to a third-party Web site that tried to load the IE exploit. Muni said the company had to reconfigure all of its 200 hosting servers to clean up the mess, fixes that caused extended outages for most of the company's 40,000 customers.

Ken Dunham, director of the iDefense Rapid Response Team at VeriSign, said his company saw about 500 of Host Gator's customer sites redirecting to the exploit site.

Meanwhile, Websense Security Labs issued a report listing dozens of sites already using the flaw to install malicious programs. Dan Hubbard, Websense's vice president of security research, said the exploit is also being folded into Webattacker, a software tool circulating in the online criminal world that can be used to set up fake Web sites for the purpose of ID theft and fraud.

Hubbard said about 10,000 Web sites use the Webattacker tool, which is sold for less than $20 at several online sites (and even includes tech support for buyers). Many of those sites that currently use Webattacker are beginning to upgrade to the latest version, meaning that very soon the Internet will likely be littered with sites that try to exploit the IE flaw.

Webattacker clients are often in the spam and spyware business, making them well versed in using fake blogs, spam and other methods to pump up the search engine listings for their sites. Hubbard said he expects those individuals will be doing the same for the sites they've created to exploit this particular IE flaw.

Microsoft's Fix

Experts contacted by Security Fix said Microsoft's suggested workaround appears sufficient to prevent the exploit from working. To disable the flawed component in Windows, do the following:

1) Open up a command prompt: Click "Start," then "Run," and a text box should pop up.

2) Cut and paste the following text into that box: regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

3) Then hit enter or click "Ok." You should then receive a pop-up window stating that the vulnerable component has been unregistered.

When Microsoft releases a patch for this problem, it should re-enable the vulnerable component. But if it does not or you would like to turn it back on for any reason, simply follow step 1 above and then paste the following into the box that pops up:

regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
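To confirm that the workaround above actually took effect (and to apply or reverse it without typing the command by hand), here is an added PowerShell script; it is not part of the original post. It assumes the default vgx.dll location quoted above and the standard COM registration layout (HKLM\SOFTWARE\Classes\CLSID\{clsid}\InprocServer32), and must be run from an elevated session because regsvr32 writes to HKLM.

```powershell
# Added example, not from the original post: report whether the VML component
# (vgx.dll) is still registered as a COM server, and optionally apply Microsoft's
# regsvr32 workaround or reverse it. Run from an elevated PowerShell session.
param(
    [switch]$Unregister,   # apply the workaround (regsvr32 -u), as in step 2
    [switch]$Reregister    # undo it (plain regsvr32), as in the post's last command
)

# Default location from the post; 64-bit Windows also carries a 32-bit copy under
# "Program Files (x86)" (assumption: standard layout, adjust if yours differs).
$VgxPaths = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Common Files\Microsoft Shared\VGX\vgx.dll' } |
    Where-Object { Test-Path $_ }

function Get-VgxRegistration {
    # regsvr32 records each COM class under CLSID\{clsid}\InprocServer32 with the DLL path as
    # the default value; "regsvr32 -u" removes those keys, so any key still naming vgx.dll is live.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $srv = $_.OpenSubKey('InprocServer32')
            if ($srv -and ($srv.GetValue('') -like '*vgx.dll*')) {
                [pscustomobject]@{ Clsid = $_.PSChildName; Server = $srv.GetValue('') }
            }
        }
    }
}

function Show-VgxStatus($label) {
    $regs = @(Get-VgxRegistration)
    if ($regs.Count -eq 0) { Write-Host "$label vgx.dll is NOT registered (workaround in place)." }
    else {
        Write-Host "$label vgx.dll is registered via $($regs.Count) class(es):"
        $regs | Format-Table -AutoSize | Out-String | Write-Host
    }
}

Show-VgxStatus 'Before:'
if ($Unregister -or $Reregister) {
    foreach ($dll in $VgxPaths) {
        $regArgs = @('/s')                       # silent: no pop-up, check the exit code instead
        if ($Unregister) { $regArgs += '-u' }
        $regArgs += "`"$dll`""
        $p = Start-Process -FilePath regsvr32.exe -ArgumentList $regArgs -Wait -PassThru
        Write-Host "regsvr32 $($regArgs -join ' ') exited with code $($p.ExitCode)"
    }
    Show-VgxStatus 'After:'
}
```

Run it with no switches to audit a machine, with -Unregister to apply the workaround, or with -Reregister to restore the component once the real patch is installed.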

Browsing Alternatives

My guess is that Microsoft will indeed release a patch before Oct. 10, the company's next scheduled patch release date. I have put in calls to them to inquire about that possibility but am still awaiting a reply. In the meantime, please be extremely careful about following Web links sent to you in e-mail or instant messages. IE users should strongly consider using an alternative browser, such as Firefox, Netscape, or Opera.

Update, 3:01 p.m. ET: Microsoft declined an interview today about the upswing in attacks, but in a statement on its security blog Redmond says it is not seeing any signs of widespread attacks that leverage the IE flaw. Still, the statement suggests that they are now leaning toward releasing a patch before Oct. 10. From the MSRC blog: "Attacks remain limited. There's been some confusion about that, that somehow attacks are dramatic and widespread. We're just not seeing that from our data, and our Microsoft Security Response Alliance partners aren't seeing that at all either. Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability. We've made some progress in our testing pass for the update and are now evaluating releasing this outside the monthly cycle, as we do any time customers are under threat and we believe we can issue an update that meets our quality bar for widespread deployment. So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release. That last bit is important because we were made aware this morning of a third party "update" for this issue. We think it's great that there are people out there working to help protect our customers. But as we've always said, we cannot endorse third party updates."

Seriously, something I rarely see mentioned when it comes to Windows: DO NOT run as an administrator! By doing so, you are giving out the keys to the castle and enabling these exploits and malware to run freely. Also, NEVER click links in e-mail!

Find me one place, one column, anywhere, where a Mac user has to go through the kind of malarkey as outlined above. In the Windows World, you need not go any further than this very web site to find so much more of the very same drivel to protect your computer. And yet, you continue to tolerate it, and continue to buy even more of it, for Lord knows what masochistic reasons.

I do not and never have worked for Apple. I have worked for a large school that was about 1/3 Macs, and the rest PCs, and watched the self-flagellation that went on with the poor Windows users that just didn't know any better. The people on Macs just kept working - except when the network people decided to try to get rid of the Macs again, and then I got to watch the Mac people have to prove to the administration yet again why the Macs are better.

Here's some comments from the Washington Post's own Rob Pegoraro: "The basic trade-off between Mac OS X and Windows XP has changed dramatically since Apple began selling computers that run on the same Intel processors as many PCs. A Mac can now run every single program a PC can, once you install Apple's free Boot Camp software and use that to load a copy of Windows XP on the Mac's hard drive. Instead of having to balance Apple's security and ease of use with the far wider choice of software provided by Windows, you can have both. So if you've been leaning toward getting a MacBook, Apple's consumer-oriented laptop, but worry that you might have to run some Windows-only program -- go ahead and get the Mac."

"Although Windows supports the greatest variety of software the world has ever seen, you'd never know it from the dreck preinstalled on most Windows laptops. Innovation in the PC industry seems to count as setting Internet Explorer's home page to Google instead of the usual MSN, Yahoo or AOL."

I copied and pasted and ran the command and it worked fine. I use Firefox anyway, but some sites force me into IE. Thanks for printing the command so that it could be cut and pasted without trying to type it. I preferred to use the MS temporary fix rather than the 3rd party fix but I've used 3rd party fixes in the past without a problem.

WhitIV -- If you post the same thing in multiple blog entries -- as you did with the one in question -- it often gets flagged as spam. Try to keep the comments on-topic please, or at least more than just huge dumps of text and links from other sites.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Where I work, we have over 500 Windows systems (a mix of XP and 2000), with 95% of them locked down (users running without administrator). We also automatically update Antivirus daily, along with other "defense in depth" levels of security (e.g. firewalls, controlled Internet and e-mail access and an enterprise patching system). The ONLY systems we have an occasional problem with are the ones running with "administrator"! The point: regardless of what platform you are using (Windows, Mac, Linux, etc.), keeping systems secure is a matter of risk management. A properly set up and managed Windows system is just as secure as any other platform. So let's not use these exploits to tout one platform over the other.

Best practice security measures:

1. Keep systems patched (including all installed software, not just the OS)
2. Run Antivirus and keep it updated daily
3. Use a firewall
4. DO NOT run as an administrator
5. Install ONLY needed software (lowers your attack surface)
6. Be a smart computer user (learn AND follow safe computing practices)

A computer is a very powerful tool, with that power comes great responsibility!

The problem lies with the default installation of XP for users at home. Many of these users have not changed the settings that came with XP and XP SP1. The vast majority of these users run as administrators because

a) that's how the computer was set up,
b) no one told them not to,
c) MS or the system vendor does not force the creation of a limited user account and a separate administrator account when the customer starts up the machine for the first time, and
d) they'd rather read espn.com than Security Fix.

Bottom line: Whether they're 16-year-olds on MySpace or 60-year-old seniors on AOL, there are too many non-power home users out there. They don't read this column or ISC SANS or any other security site. We need default installs and security settings designed with that in mind.

If that means "baby-sitting" users with harsher security defaults or updates, so be it. MS should release the workarounds in their security advisories (e.g. unregister vgx.dll) as temporary patches through Automatic Updates.

Ken, great post. I agree, although as much as you can try to save the user from themselves, it still comes down to taking the appropriate responsibility for the power of the tool you are using. All the safety mechanisms regarding a gun are not going to prevent it from being used maliciously. You have to learn how to use the tool! Granted, the software industry could do a dramatically better job of helping in that regard.

Proactively locking down your PC will protect from this threat and all others. Minor nuisance for powerdownloaders, but for your average surfer...gets the job done!!! It's too bad that Microsoft doesn't do something like this, but until they do, Aura is here to defend us.